Secure Email

Contents

Overview

SMTP, IMAP, and POP / POP3 are unencrypted transmission protocols by default (like HTTP). One method to run them securely is to use TLS, or its predecessor SSL, as in HTTPS.

DreamHost mail servers support TLS automatically when you select TLS or SSL in your email client. You must also use the appropriate port for TLS connections:

Secure SMTP - port 465 (outgoing)

Secure IMAP - port 993 (incoming)

Secure POP3 - port 995 (incoming)

Note:

Some clients will set the port automatically when you select TLS/SSL, or select TLS/SSL automatically when you select the appropriate port. Other clients will require that you make both selections in order to fully configure SSL for the appropriate service.

Another method uses STARTTLS. The STARTTLS method connects to the regular SMTP/IMAP/POP3 port and then upgrades the connection to TLS by sending a STARTTLS request. Some email clients refer to this as "TLS" and the method of directly using encryption to a different port as "SSL". This distinction is technically incorrect!

Note:

As of January 2015, STARTTLS is not supported at DreamHost.

What does TLS buy me?

Encrypted communications

Your login information and email messages are sent in encrypted form, so people can't eavesdrop on them.

Server authentication

With certificates properly set up, you can check that the IMAP/POP server that you're connecting to is the correct machine (and not an impostor that just wants to steal your password.) The server provides a certificate (public key) which corresponds to a private key on the IMAP/POP server. Once the client knows that the server's public key is authentic, it can validate communications from that server.

These are particularly useful if using public Wi-Fi, which may not be encrypted – these ensure that people can’t read your email by listening to the network, nor can they (more intrusively) set up a fake email server to capture your emails.

Alternatives

For wireless, you should really be using WPA2, but that’s not always available.

You can also use Webmail over a secure (HTTPS) connection.

Dealing with Certificate Problems

Problem: You connect via SSL to your mail server mail.yourdomain.com but there's a name mismatch because the SSL certificate points to *.mail.dreamhost.com instead. See Certificate Domain Mismatch Error.